EMC Documentum Content Server Multiple Vulnerabilities (ESA-2015-131)

Severity: High. Nessus Plugin ID: 85544

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of EMC Documentum Content Server running on the remote host is affected by multiple vulnerabilities:

- A privilege escalation vulnerability exists due to improper authorization checks performed on subgroups within the dm_superusers group. An authenticated, remote attacker can exploit this to gain super-user privileges, thus allowing access to data or unauthorized actions on the Content Server. Note that the previous fix for this issue (CVE-2014-4622) was incomplete. (CVE-2015-4531)

- A privilege escalation vulnerability exists due to improper authorization and object type checks performed during the handling of RPC commands that involve the dm_bp_transition method. An authenticated, remote attacker can exploit this, by using a crafted script, to gain elevated privileges, thus allowing unauthorized actions, such as the execution of arbitrary code. Note that the previous fix for this issue (CVE-2014-2514) was incomplete. (CVE-2015-4532)

- A privilege escalation vulnerability exists due to improper authorization checks during the handling of custom scripts. An authenticated, remote attacker can exploit this to gain elevated privileges, thus allowing unauthorized actions on the Content Server. Note that the previous fix for this issue (CVE-2014-2513) was incomplete. (CVE-2015-4533)

- A remote code execution vulnerability exists due to the Java Method Server (JMS) not properly validating digital signatures for query strings without the 'method_verb' parameter. An authenticated, remote attacker can exploit this, via a crafted digital signature for a query string, to execute arbitrary code in the JMS context, depending on what Java classes are present in the classloader. (CVE-2015-4534)

- An information disclosure vulnerability exists due to a flaw in the Java Method Server (JMS) in how login tickets are logged in certain instances when the __debug_trace__ parameter is enabled. An authenticated, remote attacker with access to the logs can exploit this to gain access to super-user tickets. (CVE-2015-4535)

Solution

Apply the relevant patch referenced in the vendor advisory.

See Also

https://seclists.org/bugtraq/2015/Aug/att-86/ESA-2015-131.txt

Plugin Details

Severity: High

ID: 85544

File Name: emc_documentum_content_server_ESA-2015-131.nasl

Version: 1.6

Type: local

Agent: windows

Family: Windows

Published: 8/19/2015

Updated: 11/22/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2015-4534

Vulnerability Information

CPE: cpe:/a:emc:documentum_content_server

Required KB Items: installed_sw/EMC Documentum Content Server

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/17/2015

Vulnerability Publication Date: 8/17/2015

Reference Information

CVE: CVE-2015-4531, CVE-2015-4532, CVE-2015-4533, CVE-2015-4534, CVE-2015-4535

BID: 76409, 76410, 76411, 76413, 76414